Changing users' security behaviour towards security questions: A game based learning approach

Fallback authentication is used to retrieve forgotten passwords. Security questions are one of the main techniques used to conduct fallback authentication. In this paper, we propose a serious game design that uses system-generated security questions with the aim of improving the usability of fallback authentication. For this purpose, we adopted the popular picture-based "4 Pics 1 word" mobile game. This game was selected because of its use of pictures and cues, which previous psychology research found to be crucial to aid memorability. This game asks users to pick the word that relates to the given pictures. We then customized this game by adding features which help maximize the following memory retrieval skills: (a) verbal cues - by providing hints with verbal descriptions, (b) spatial cues - by maintaining the same order of pictures, (c) graphical cues - by showing 4 images for each challenge, (d) interactivity/engaging nature of the game.Comment: 6, Military Communications and Information Systems Conference (MilCIS), 2017. arXiv admin note: substantial text overlap with arXiv:1707.0807

ZETA - Zero-Trust Authentication: Relying on Innate Human Ability, not Technology

Reliable authentication requires the devices and channels involved in the process to be trustworthy; otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. Our contributions are threefold: (1) We propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels. (2) We outline a security analysis to assess the envisaged performance of the proposed authentication protocol. (3) We report on a usability study that explores the viability of relying on human computation in this context

Questionnaires, in-depth interviews and focus groups

With fast changing technologies and related human interaction issues, there is an increased need for timely evaluation of systems with distributed users in varying contexts (Pace, 2004). This has led to the increased use of questionnaires, in-depth interviews and focus groups in commercial usability and academic research contexts. Questionnaires are usually paper based or delivered online and consist of a set of questions which all participants are asked to complete. Once the questionnaire has been created, it can be delivered to a large number of participants with little effort. However, a large number of participants also means a large amount of data needing to be coded and analysed. Interviews, on the other hand, are usually conducted on a one-to-one basis. They require a large amount of the investigator’s time during the interviews and also for transcribing and coding the data. Focus groups usually consist of one investigator and a number of participants in any one session. Although the views of any one participant cannot be probed to same degree as in an interview, the discussions that are facilitated within the groups often result in useful data in a shorter space of time than that required by one-to-one interviews. All too often, however, researchers eager to identify usability problems quickly throw together a questionnaire, interview or focus group that, when analysed, produces very little of interest. What is often lacking is an understanding of how the research method design fits with the research questions (Creswell, 2003) and how to appropriately utilise these different approaches for specific HCI needs. The methods described in this chapter can be useful when used alone but are most useful when used together with other methods. Creswell (2003) provides a comprehensive analysis of the different quantitative and qualitative methods and howthey can be mixed and matched for overall better quality research. Depending on what we are investigating, sometimes it is useful to start with a questionnaire and then, for example, follow up some specific points with an experiment, or a series of interviews, in order to fully explore some aspect of the phenomenon under study. This chapter describes how to choose between and design questionnaires, interviews and focus group studies and using two examples illustrates the advantages of combining a number of approaches when conducting HCI research

Internet authentication based on personal history - a feasibility test

On the Internet, there is an uneasy tension between the security and usability of authentication mechanisms. An easy three-part classification is: 'something you know' (e.g. password); 'something you hold' (e.g. device holding digital certificate), and 'who you are' (e.g. biometric assessment) [9]. Each of these has well-known problems; passwords are written down, guessable, or forgotten; devices are lost or stolen, and biometric assays alienate users. We have investigated a novel strategy of querying the user based on their personal history (a 'Rip van Winkle' approach.) The sum of this information is large and well-known only to the individual. The volume is too large for impostors to learn; our observation is that, in the emerging environment, it is possible to collate and automatically query such information as an authentication test. We report a proof of concept study based on the automatic generation of questions from electronic 'calendar' information. While users were, surprisingly, unable to answer randomly generated questions any better than impostors, if questions are categorized according to appropriate psychological parameters then significant results can be obtained. We thus demonstrate the potential viability of this concept

Disagreeable Privacy Policies: Mismatches between Meaning and Users’ Understanding

Privacy policies are verbose, difficult to understand, take too long to read, and may be the least-read items on most websites even as users express growing concerns about information collection practices. For all their faults, though, privacy policies remain the single most important source of information for users to attempt to learn how companies collect, use, and share data. Likewise, these policies form the basis for the self-regulatory notice and choice framework that is designed and promoted as a replacement for regulation. The underlying value and legitimacy of notice and choice depends, however, on the ability of users to understand privacy policies. This paper investigates the differences in interpretation among expert, knowledgeable, and typical users and explores whether those groups can understand the practices described in privacy policies at a level sufficient to support rational decision-making. The paper seeks to fill an important gap in the understanding of privacy policies through primary research on user interpretation and to inform the development of technologies combining natural language processing, machine learning and crowdsourcing for policy interpretation and summarization. For this research, we recruited a group of law and public policy graduate students at Fordham University, Carnegie Mellon University, and the University of Pittsburgh (“knowledgeable users”) and presented these law and policy researchers with a set of privacy policies from companies in the e-commerce and news & entertainment industries. We asked them nine basic questions about the policies’ statements regarding data collection, data use, and retention. We then presented the same set of policies to a group of privacy experts and to a group of non-expert users. The findings show areas of common understanding across all groups for certain data collection and deletion practices, but also demonstrate very important discrepancies in the interpretation of privacy policy language, particularly with respect to data sharing. The discordant interpretations arose both within groups and between the experts and the two other groups. The presence of these significant discrepancies has critical implications. First, the common understandings of some attributes of described data practices mean that semi-automated extraction of meaning from website privacy policies may be able to assist typical users and improve the effectiveness of notice by conveying the true meaning to users. However, the disagreements among experts and disagreement between experts and the other groups reflect that ambiguous wording in typical privacy policies undermines the ability of privacy policies to effectively convey notice of data practices to the general public. The results of this research will, consequently, have significant policy implications for the construction of the notice and choice framework and for the US reliance on this approach. The gap in interpretation indicates that privacy policies may be misleading the general public and that those policies could be considered legally unfair and deceptive. And, where websites are not effectively conveying privacy policies to consumers in a way that a “reasonable person” could, in fact, understand the policies, “notice and choice” fails as a framework. Such a failure has broad international implications since websites extend their reach beyond the United States